Lux Ex Umbra

Tuesday, January 30, 2018

CSE Commissioner calls for changes to Bill C-59

CSE Commissioner Jean-Pierre Plouffe called for changes in Bill C-59 in testimony to the Standing Committee on Public Safety and National Security today.

The Commissioner was accompanied by OCSEC Executive Director Bill Galbraith and special legal advisor Gérard Normand, who also testified. The transcript of the meeting is not yet available, but you can watch the hearing here. (It's also worth watching the testimony by Michael Vonn and Ray Boisvert that follows.)

In a document provided to the committee, the Commissioner called for nine substantive and thirteen technical amendments to the bill. [The original version of this blog post listed only the seven proposals outlined in this earlier submission by the Commissioner, which was the only one available online on January 30th.]

Here are the Commissioner's recommendations:

Substantive recommendations

1. The Intelligence Commissioner (IC) should approve the active cyber operations [and] defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the Communications Security Establishment Act (CSE Act).

2. The IC should have the right to request clarifications with respect to the information presented to him, short of receiving or accessing information that the Minister would not have seen.

3. The IC should be able to conditionally approve authorizations, pursuant to section 13 of the IC Act.

4. The IC should prepare a public annual report to the Prime Minister for him to table in both Houses.

5. Subsection 21(1) of the IC Act should provide that while the decision of the IC must be made within a 30-day period, the reasons could follow later.

6. Regarding subsection 37(3) of the CSE Act, it is suggested that the decision by a Minister to extend, for one more year, an authorization on matters of foreign intelligence or cybersecurity should be reviewable by the IC.

7. Paragraph 273.65(2)(c) of the National Defence Act... states that the Minister needs to be satisfied that "the expected foreign intelligence value of the information that would be derived from the interception justifies it". This has not been replicated in Bill C-59 and should be added.

8. Sections 38 to 40 of the CSE Act provide for a regime dealing with "repeal and amendment" that appears inconsistent and should be re-examined.

9. Subsection 41(2) of the CSE Act should provide that emergency authorizations issued by the Minister in foreign intelligence and cybersecurity matters are reviewable by the IC and base its process on the United Kingdom model under the Investigatory Powers Act 2016.

Technical recommendations

1. The wording in subsection 23(1) of the Intelligence Commissioner Act (IC Act) should be clarified to specify what is included in "all information that was before [the Minister]" that is provided to the Intelligence Commissioner (IC).

2. Regulation-making authority should be inserted in the IC Act to enable the creation of regulations for carrying out the purposes and provisions of the Act, as well as on more specific matters.

3. The Communications Security Establishment Act (CSE Act) and the Canadian Security Intelligence Service Act (CSIS Act) should clearly provide that both the authorization/determination and all information that led to the decision by the Minister should be provided to the IC for the purpose of his review.

4. The wording in section 13 of the IC Act should be amended to state that the IC should review all the information in order to determine whether the conclusions of the Minister are reasonable.

5. Section 25 of the IC Act should clarify the type and nature of the information being contemplated, such as briefings, or backgrounders, to help the IC exercise his role. The word "may" should be replaced by "must" for information requested by the IC.

6. The IC Act should provide that records obtained by the IC in the course of his duties are not under the IC's control, for Access to Information Act and Privacy Act purposes.

7. The wording in subsection 11.03(3) of the CSIS Act should be similar to that in subsections 29(1) of the CSE Act and section 11.23 of the CSIS Act.

8. Some terms found in Bill C-59 should be defined or clarified for the benefit of those responsible for enforcing the legislation, as well as those who will be asked to issue authorizations or approvals.

9. The entity proposed as the IC should be called the "Judicial Intelligence Commissioner" or the "Judicial Commissioner for Intelligence" and the title of the legislation changed to reflect the name.

10. The threshold set out in subsection 11.03(2) of the CSIS Act is too low and will make the IC's review practically impossible.

11. The Minister responsible for the IC Act should be the Prime Minister.

12. The period of validity for authorizations issued under subsections 30(1) and 31(1) of the CSE Act [i.e., defensive and active cyber operation authorizations] should be up to 6 months.

13. Section 10 of the IC Act should clarify that the concept of legal advisor is covered by the term "person having specialized knowledge".

The terms that the Commissioner recommended be defined are:

a. "information" (as used throughout the CSE Act);
b. "acquire", "collection" and "interception" (as used in the CSE Act, as well as the CSIS Act; the term "interception" is defined in the Criminal Code but is problematic with respect to the foreign intelligence collection process);
c. "disclosure" and "disseminate" (as used in the CSE Act);
d. "predominantly" (as used in the CSIS Act);
e. "publicly available dataset" (this term is defined in the CSIS Act but the definition is circular).

As can be seen, the CSE Commissioner's recommendations were limited to matters concerning the role of the proposed Intelligence Commissioner, which the CSE Commissioner will become if the bill is passed.

Especially notable were the Commissioner's recommendations that ministerial authorizations for active and defensive cyber operations be subject to the approval of the Intelligence Commissioner and that the Commissioner be able to specify conditions when approving authorizations, both of which were also recommended in the CIPPIC/Citizen Lab report (recommendations #5 and #9).

In response to a question, the Commissioner and his legal advisor also expressed general agreement with the CIPPIC/Citizen Lab report's recommendation (#6) that the Intelligence Commissioner provide written reasons for all decisions.

The Commissioner's appearance before the committee was limited to one hour, which is a great shame as a productive discussion could easily have gone on for several hours, but at least the Commissioner and the subsequent witnesses were given a respectful hearing and the questions asked of them were constructive. I honestly don't understand how the previous government found that kind of basic decency so difficult to display.

Update 26 February 2018:

On 23 February, the CSE Commissioner submitted a number of additional recommendations to the standing committee examining Bill C-59, including two more pertaining to the CSE Act part of the bill:

1. "Amend the provisions falling under the Procedure part of the CSE Act (sections 34 to 37) to ensure that the Intelligence Commissioner can review the full content of an authorization."

2. "Amend subsections 27(1), 30(1) and 31(1) of the CSE Act to ensure that the Minister can issue authorizations that will be lawful “despite any other law, including that of any foreign state” as opposed to the current and more limiting wording of “despite any other Act of Parliament or of any foreign state”. Proceed to amend subsections 28(1) and (2) of the same Act accordingly, save for the reference to foreign state."

The Commissioner's submission contains brief explanations of each of the recommendations.

Monday, January 22, 2018

ATipper #11: JRO Strategic Research Contexts

Another item from the Access to Information files:

According to access release A-2016-00068, CSE's Joint Research Office, which conducts research in support of both the SIGINT program and the IT Security program, groups its efforts into "Strategic Research Contexts".

As of 2014, the JRO had 20 SRCs:

The subjects of two of the SRCs, R5 and R9, were redacted from the release.

Fortunately, a list of the 19 SRCs that existed in 2013 has already been published, so those who are curious can discover for themselves what the big secrets were. (See page 4.)

Friday, January 19, 2018

RIP Carl Freeland

The last surviving original staff member of CSE, Carl Freeland, passed away on January 13th.

Freeland served in the Canadian Army during the Second World War and was assigned to the Army's No. 1 Discrimination Unit (DU). 1 DU, a number of other service units, and parts of the Examination Unit, Canada's original code-breaking bureau, were later combined to become the Joint Discrimination Unit, which went on to form the basis of Canada's post-war SIGINT agency, known as the Communications Branch of the National Research Council (CBNRC) when it was created in 1946 and later renamed the Communications Security Establishment.

According to his obituary, Freeland's "proficiency in typing resulted in his assignment" to the DU.

He went on to spend his entire career at CBNRC/CSE, serving as the agency's liaison officer to GCHQ (CANSLO/L) in the mid-1970s, and finally retiring in 1985.